From: "Gerald S. Stoller" <gs_stoller@hotmail.com>
To: dnelson@allantgroup.com, ryan@sasknow.com
Cc: vze25pmf@verizon.net, freebsd-questions@freebsd.org
Date: Wed, 23 Jul 2003 14:57:58 -0400
Subject: Re: set user-id

>From: Dan Nelson
>To: Ryan Thompson
>CC: "Gerald S. Stoller", vze25pmf@verizon.net, FreeBSD Questions
>Subject: Re: set user-id
>Date: Tue, 22 Jul 2003 14:37:29 -0500
>
>In the last episode (Jul 22), Ryan Thompson said:
> > If you *really* want to have suid scripts, your binary wrapper idea is
> > quite a common trick. Don't get fancy with it, though. A one-liner to
> > execve(2) should really be all you need. Either that, or re-code the
> > whole thing in C (or some other compiled language). C can introduce
> > insecurities of its own, but at least you'd (arguably) have put them
> > there yourself. :-)
>
>I use sudo for stuff like this. I add a line like this in sudoers:

I don't understand the next line!

>ALL ALL = NOPASSWD: /usr/local/bin/thescript

??? Setting a variable?? Okay, invoking the script

>and put this at the top of thescript:
>
>#! /bin/sh
># Not root yet: re-run ourselves under sudo once, and give up if that
># still does not yield root (TRYINGSUDO stops an endless re-exec loop).
>if [ $(id -u) -ne 0 ] ; then
>    if [ "$TRYINGSUDO" = "1" ] ; then
>        echo "Cannot get admin privileges! Exiting"
>        exit 1
>    else
>        export TRYINGSUDO=1
>        exec sudo "$0" "$@"
>    fi
>fi
>
>--
>    Dan Nelson
>    dnelson@allantgroup.com

I tried a suggestion by Ryan (slipping in something from his email)

>>Well, why don't you just chmod 4755 /bin/ksh, then. :-D

with a slight change: I copied ksh to /bin with the name kshroot, made sure that the group on it is the group of root, and then did

    chmod 4750 /bin/kshroot

Thus only the users who are 'close to' root (e.g., generally users who have the root password so they can become root if necessary) can run this shell whenever they need to act as root, and can use it in scripts (first line: #!/bin/kshroot). Again note that these scripts can only be invoked by users who are 'close to' root. For the other users, I'd have to use a sudo.
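The following is an added example, not code from anyone in this thread: Dan's TRYINGSUDO loop guard rewritten as a testable function, plus a small audit helper that lists setuid files under a directory and labels who may execute them, which is the check an administrator would run after creating something like /bin/kshroot with mode 4750 (the function names and the three labels are my own).

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers for the ideas above:
#  - escalation_action: the TRYINGSUDO loop guard from Dan's script as a
#    pure function, so the "re-exec under sudo, but never loop" decision
#    can be exercised without sudo or root.
#  - audit_setuid: list setuid regular files under a directory and label
#    who may execute them, the check an admin would run after creating
#    something like /bin/kshroot (4750 = group only, 4755 = everybody).

# $1 = numeric uid of the caller, $2 = value of the guard variable
# (empty on the first pass). Prints run, reexec or fail; status 1 on fail.
escalation_action() {
    uid=$1
    guard=$2
    if [ "$uid" -eq 0 ]; then
        echo run       # already root: run the privileged body
    elif [ "$guard" = "1" ]; then
        echo fail      # sudo was already tried and we are still unprivileged
        return 1
    else
        echo reexec    # first pass: caller should exec sudo on itself
    fi
}

# How a script would use it (not executed here). Note that sudo's default
# env_reset drops TRYINGSUDO unless it is listed in env_keep, so the guard
# is a backstop: it only fires if the variable survives the re-exec.
#   case "$(escalation_action "$(id -u)" "$TRYINGSUDO")" in
#     run)    ;;
#     reexec) TRYINGSUDO=1 exec sudo "$0" "$@" ;;
#     *)      echo "Cannot get admin privileges! Exiting" >&2; exit 1 ;;
#   esac

# $1 = directory to scan. One line per setuid regular file:
#   "world <path>"  executable by everyone       (e.g. mode 4755)
#   "group <path>"  executable by the group only (e.g. mode 4750)
#   "owner <path>"  executable by the owner only (e.g. mode 4700)
audit_setuid() {
    dir=$1
    find "$dir" -type f -perm -4000 -perm -0001 \
        -exec sh -c 'echo "world $1"' _ {} \;
    find "$dir" -type f -perm -4000 -perm -0010 ! -perm -0001 \
        -exec sh -c 'echo "group $1"' _ {} \;
    find "$dir" -type f -perm -4000 ! -perm -0010 ! -perm -0001 \
        -exec sh -c 'echo "owner $1"' _ {} \;
}
```

Running `audit_setuid /` periodically and diffing the output against a known-good list is the simplest way to notice a new setuid interpreter that someone dropped into /bin.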